Main Vulnerability Database SB2020040914

SB2020040914 - Improper access control in Gutenberg Blocks - Ultimate Addons for Gutenberg plugin for WordPress

Published: April 9, 2020

Security Bulletin ID SB2020040914

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in several AJAX actions in the "ultimate-addons-for-gutenberg/classes/class-uagb-admin.php" script. A remote authenticated attacker can send a $_POST['page'] = 'uag' to the current page and interact with all six AJAX actions, leading to settings change.

This vulnerability affects the following AJAX actions:

uagb_activate_widget
uagb_deactivate_widget
uagb_bulk_activate_widgets
uagb_bulk_deactivate_widgets
uagb_allow_beta_updates
uagb_file_generation

Remediation

Install update from vendor's website.

SB2020040914 - Improper access control in Gutenberg Blocks - Ultimate Addons for Gutenberg plugin for WordPress

Breakdown by Severity

Description

Remediation

References

Please verify you're human